New Release: Tor Browser 14.0.4

by morgan | January 8, 2025

Tor Browser 14.0.4 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 14.0.3 is:


This is a companion discussion topic for the original entry at https://blog.torproject.org/new-release-tor-browser-1404
3 Likes

There is something strange about this update. First it downloads 8 MB. Then it restarts. Then it downloads 122 MB (or something, I do not remember the exact amount), and then restarts again. Is this intentional or unintentional?

Also, on a more general note, I heard the other day about an issue where over 30 Chrome extensions were hacked and infected people via auto-updates. Is it safe to auto-update Tor Browser without first investigating the update or looking into seeing if there have been any problems? I can imagine that hacking into the distribution channels and pushing out a malicious update would be quite appealing for any cybercriminal or government.

1 Like

Did you update from an older 13* version? We sometimes have watersheds (and I know there was one between the almost last version of 13 and the start of 14). IDK if we also have the Mozilla ones, but we do have our own as well.

https://firefox-source-docs.mozilla.org/update-infrastructure/index.html#watershed-updates

I updated from 14.0.3 to 14.0.4. I did this for both the regular Tor Browser and a Tor Browser within Whonix Workstation. Both exhibited the same update behavior.

1 Like

You can choose to manually update Tor Browser, and yes, there is a secure audit periodically.

Happened with me too.

I think the problem was caused by the tor-browser-build commit "Bug 41313: Add StartupNotify=true to .desktop files" (c410a399).
The launch script updates start-browser.desktop, which makes the partial update fail when we update the original file.

As for the updates, we have our own keys for the browser.
However, you don’t need to trust them, as our builds are reproducible.
So, you can rebuild the browser on your machine (Linux x86_64 with user namespaces is needed), and check that your output matches our (unsigned) build.
It’s very easy to compare the Linux binaries we ship (the signature is a disjoint PGP signature), easy enough to compare Windows ones (you need to extract the installer, or to strip its signature), and very involved on macOS (I’m not sure how to strip signatures on macOS).

As for extensions, we trust Mozilla.
So, if you don’t trust them, you shouldn’t install them in the first place (and it’s recommended you don’t in any case, as some extensions are fingerprintable).
The only exception is NoScript, which cannot be uninstalled, but we ship the latest version available with the browser, and the NoScript developer is also part of the Tor Browser team.

5 Likes
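The comparison described in the last reply (your own rebuilt output against the project's unsigned build), as an added example that is not part of the thread or the Tor Project's tooling. It assumes the published hashes are available as a `sha256sum`-style manifest and that signed Windows or macOS files have already had their signatures stripped; all file names and contents below are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large browser archives are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        bytes.fromhex(digest)  # raises ValueError on non-hex characters
        entries[name] = digest.lower()
    return entries

def compare_build(manifest_text, build_dir):
    """Map each manifest entry to 'match', 'MISMATCH' or 'missing'."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        artifact = Path(build_dir) / Path(name).name  # ignore directory parts
        if not artifact.is_file():
            results[name] = "missing"
        else:
            results[name] = "match" if sha256_file(artifact) == expected else "MISMATCH"
    return results

def demo():
    """Constructed data: one reproduced artifact, one differing, one not built."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "browser-linux.tar.xz").write_bytes(b"constructed artifact A")
        (Path(tmp) / "browser-windows.exe").write_bytes(b"locally rebuilt, differs")
        manifest = (
            f"{hashlib.sha256(b'constructed artifact A').hexdigest()}  browser-linux.tar.xz\n"
            f"{hashlib.sha256(b'published bytes').hexdigest()} *browser-windows.exe\n"
            f"{'0' * 64}  browser-macos.dmg\n"
        )
        return compare_build(manifest, tmp)

if __name__ == "__main__":
    print(demo())
```

A `MISMATCH` on a file that still carries a code signature is expected; compare only after the signature has been removed, as the reply notes for Windows and macOS.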